Make rename-able DKIM DNS record

potemkin_ai

As a follow up for the thread earlier, as a security measure, it would be nice to avoid Cloudron service discovery via DNS naming and hence make DKIM record renaeable (or other way to keep it unique and not service name specific).

murgero

@potemkin_ai AFAIK there is no real security benefit to making it re-namable. If the cloudron is internet accessible (assuming it is since you mention dkim records) then the login page (or other app is accessible) which with a simple web browser one can tell it's a Cloudron install.

A better security measure would be to make sure SSH is only accessible by YOU (limit IPs that can access it, Private Key Authentication, etc) and use 2fa on all apps that support it.

potemkin_ai

@murgero nothing stops me from putting a firewall or/and web proxy in front of the instance, keeping all of the benefits, without exposure

robi

Let's agree that making it renamable is useful for other scenarios more so than security by obscurity.

potemkin_ai

@robi

murgero

@potemkin_ai You can definitely do that - but some services need to be accessible from the outside in order to work (like web services, some email service(s), etc etc.)

Making it renamable for the sake of security is pointless - however, if you were to rename it for other reasons or just to rename it then I don't see the issue in allowing admins to do so.

As @robi suggested - it can be useful in other scenarios. I just don't see the difference in a publicly hosted Cloudron and one where you obscure one part of it - Unfortunately there is no way to hide the fact you are running Cloudron from a malicious actor. At least not yet.

potemkin_ai

@murgero I didn't say it wouldn't be accessible; it would, just through my proxies, that make sure to remove any information, that would help in disclosure.

You also miss an option with Intranets.